From d8389e3e50864447a74605d7ede3d14246bc633a Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Sun, 2 May 2021 16:38:02 +0200 Subject: [PATCH] bpo-38820: Add ssl, hashlib, and hmac changes to whatsnew 3.10 (GH-25817) Signed-off-by: Christian Heimes --- Doc/library/ssl.rst | 8 +++++++ Doc/whatsnew/3.10.rst | 55 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 4d43fa0b792..afa3d87f576 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -1358,6 +1358,10 @@ SSL sockets also have the following additional methods and attributes: .. versionadded:: 3.3 + .. deprecated:: 3.10 + + NPN has been superseded by ALPN + .. method:: SSLSocket.unwrap() Performs the SSL shutdown handshake, which removes the TLS layer from the @@ -1714,6 +1718,10 @@ to speed up repeated connections from the same clients. .. versionadded:: 3.3 + .. deprecated:: 3.10 + + NPN has been superseded by ALPN + .. attribute:: SSLContext.sni_callback Register a callback function that will be called after the TLS Client Hello diff --git a/Doc/whatsnew/3.10.rst b/Doc/whatsnew/3.10.rst index 679522bdfe7..223ab65cfc3 100644 --- a/Doc/whatsnew/3.10.rst +++ b/Doc/whatsnew/3.10.rst @@ -974,6 +974,26 @@ Added the *root_dir* and *dir_fd* parameters in :func:`~glob.glob` and :func:`~glob.iglob` which allow to specify the root directory for searching. (Contributed by Serhiy Storchaka in :issue:`38144`.) +hashlib +------- + +The hashlib module requires OpenSSL 1.1.1 or newer. +(Contributed by Christian Heimes in :pep:`644` and :issue:`43669`.) + +The hashlib module has preliminary support for OpenSSL 3.0.0. +(Contributed by Christian Heimes in :issue:`38820` and other issues.) + +The pure-Python fallback of :func:`~hashlib.pbkdf2_hmac` is deprecated. In +the future PBKDF2-HMAC will only be available when Python has been built with +OpenSSL support. +(Contributed by Christian Heimes in :issue:`43880`.) + +hmac +---- + +The hmac module now uses OpenSSL's HMAC implementation internally. +(Contributed by Christian Heimes in :issue:`40645`.) + importlib.metadata ------------------ @@ -1109,6 +1129,30 @@ Added option to create MPTCP sockets with ``IPPROTO_MPTCP`` ssl --- +The ssl module requires OpenSSL 1.1.1 or newer. +(Contributed by Christian Heimes in :pep:`644` and :issue:`43669`.) + +The ssl module has preliminary support for OpenSSL 3.0.0 and new option +:data:`~ssl.OP_IGNORE_UNEXPECTED_EOF`. +(Contributed by Christian Heimes in :issue:`38820`, :issue:`43794`, +:issue:`43788`, :issue:`43791`, :issue:`43799`, :issue:`43920`, +:issue:`43789`, and :issue:`43811`.) + +Deprecated function and use of deprecated constants now result in +a :exc:`DeprecationWarning`. The following features have been deprecated +since Python 3.6, Python 3.7, or OpenSSL 1.1.0: +:data:`~ssl.OP_NO_SSLv2`, :data:`~ssl.OP_NO_SSLv3`, :data:`~ssl.OP_NO_TLSv1`, +:data:`~ssl.OP_NO_TLSv1_1`, :data:`~ssl.OP_NO_TLSv1_2`, +:data:`~ssl.OP_NO_TLSv1_3`, :data:`~ssl.PROTOCOL_SSLv2`, +:data:`~ssl.PROTOCOL_SSLv3`, :data:`~ssl.PROTOCOL_SSLv23`, +:data:`~ssl.PROTOCOL_TLSv1`, :data:`~ssl.PROTOCOL_TLSv1_1`, +:data:`~ssl.PROTOCOL_TLSv1_2`, :data:`~ssl.PROTOCOL_TLS`, +:func:`~ssl.wrap_socket`, :func:`~ssl.match_hostname`, +:func:`~ssl.RAND_pseudo_bytes`, :func:`~ssl.RAND_egd`, +:meth:`ssl.SSLSocket.selected_npn_protocol`, +:meth:`ssl.SSLContext.set_npn_protocols`. +(Contributed by Christian Heimes in :issue:`43880`.) + The ssl module now has more secure default settings. Ciphers without forward secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits weak RSA, DH, and ECC keys with less than 112 bits of security. @@ -1116,9 +1160,20 @@ weak RSA, DH, and ECC keys with less than 112 bits of security. Settings are based on Hynek Schlawack's research. (Contributed by Christian Heimes in :issue:`43998`.) +The deprecated protocols SSL 3.0, TLS 1.0, and TLS 1.1 are no longer +officially supported. Python does not block them actively. However +OpenSSL build options, distro configurations, vendor patches, and cipher +suites may prevent a successful handshake. + Add a *timeout* parameter to the :func:`ssl.get_server_certificate` function. (Contributed by Zackery Spytz in :issue:`31870`.) +The ssl module uses heap-types and multi-phase initialization. +(Contributed by Christian Heimes in :issue:`42333`.) + +A new verify flag :data:`~ssl.VERIFY_X509_PARTIAL_CHAIN` has been added. +(Contributed by l0x in :issue:`40849`.) + sqlite3 -------